Commit Graph

193 Commits

Author SHA1 Message Date
Oswald Buddenhagen
aba3524d9b make it possible to disable usage of system cert store 2014-10-18 16:18:48 +02:00
Oswald Buddenhagen
2745813367 re-design SSL/TLS configuration
the combinations of the various options made quite a mess. additionally,
'RequireSSL no' is inherently insecure - "use SSL if available" is plain
stupid.

the old options are still accepted, but will elicit a warning.
2014-10-18 16:18:48 +02:00
Oswald Buddenhagen
aa4f7a7d00 move use_imaps out of server_conf_t
it doesn't belong there - it's a property of imap_server_conf_t.
the port setup is now done while reading the config.

this makes socket.[hc] imap-agnostic.
2014-10-18 16:15:02 +02:00
Oswald Buddenhagen
47897d2403 fix memory management of current mailbox name
it was a stupid idea to store the pointer to a variable we need to
dispose in a structure which has its own lifetime.
2014-10-04 18:37:34 +02:00
Oswald Buddenhagen
4f383a8074 stop abusing memcmp()
memcmp() is unfortunately not guaranteed to read forward byte-by-byte,
which means that the clever use as a strncmp() without the pointless
strlen()s is not permitted, and can actually misbehave with
SSE-optimized string functions.

so implement proper equals() and starts_with() functions. as a bonus,
the calls are less cryptic.
2014-10-04 18:37:34 +02:00
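The overread described in the commit message above, and the length-aware comparison helpers it calls for, shown as an added example in C. This is not the project's own `equals()`/`starts_with()`; the function bodies, the `starts_with_cstr()` variant and the sample mailbox names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers written for this example, not the project's own code.
 * Each takes the haystack's known length, so the comparison never reaches
 * past the end of the shorter string. memcmp() gives no such guarantee:
 * memcmp(str, "INBOX.", 6) on the three-byte buffer "IN\0" may read up to
 * three bytes beyond the terminator, because the implementation is free to
 * compare whole words or vectors instead of stopping at the first mismatch. */

/* 1 if str (of length len) begins with the C string prefix, else 0. */
int starts_with(const char *str, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (len < plen)
        return 0;                /* shorter than the prefix: memcmp never runs */
    return memcmp(str, prefix, plen) == 0;
}

/* 1 if str (of length len) is exactly the C string cmp, else 0. */
int equals(const char *str, size_t len, const char *cmp)
{
    size_t clen = strlen(cmp);
    return len == clen && memcmp(str, cmp, clen) == 0;
}

/* Variant for NUL-terminated input whose length is not known up front.
 * strncmp() is specified to stop at the first NUL in either operand, so it
 * is safe where memcmp() with the same arguments is not. */
int starts_with_cstr(const char *str, const char *prefix)
{
    return strncmp(str, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    /* Constructed sample inputs resembling IMAP LIST mailbox names. */
    const char *names[] = { "INBOX", "INBOX.Sent", "IN", "Archive" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *n = names[i];
        printf("%-10s equals INBOX: %d  starts_with INBOX.: %d  (cstr: %d)\n",
               n, equals(n, strlen(n), "INBOX"),
               starts_with(n, strlen(n), "INBOX."),
               starts_with_cstr(n, "INBOX."));
    }
    return 0;
}
```

The `len < plen` check is the part `memcmp()` cannot do on its own: once the caller knows the haystack is shorter than the needle, the answer is fixed and no bytes need to be touched. When only a NUL-terminated pointer is available, `strncmp()` is the standard-conforming choice, since unlike `memcmp()` it is required to stop at the terminator.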
Oswald Buddenhagen
003ddb2199 permit IMAP Stores with explicitly empty Path
this is useful if the server sends an unhelpful NAMESPACE like
"INBOX." (which precludes clean use of Patterns with the real INBOX).
2014-10-04 18:37:34 +02:00
Oswald Buddenhagen
f385355bdb don't attempt to filter LIST response if there is no Path
we won't filter anything in that case anyway.
2014-10-04 18:37:34 +02:00
Oswald Buddenhagen
608834c6f1 permit Maildir Stores without a Path
it is perfectly reasonable to have a Store which has only an Inbox.
2014-10-04 18:37:33 +02:00
Oswald Buddenhagen
6ad7371f46 use resolved Path for initial filtering of LIST response
otherwise we'd ignore NAMESPACE, and funny things could happen.
2014-10-04 18:37:33 +02:00
Oswald Buddenhagen
de82023427 consider unexpected structure of NAMESPACE fatal 2014-10-04 18:37:33 +02:00
Oswald Buddenhagen
9a463768ea complain about RequireSSL with no SSL versions enabled 2014-07-06 10:10:12 +02:00
Oswald Buddenhagen
06c731cbf8 actually use STARTTLS if only TLSv1.1 or TLSv1.2 is enabled 2014-07-06 10:09:38 +02:00
Oswald Buddenhagen
95db373e54 clarify error message about missing connection details 2014-07-06 09:09:54 +02:00
Oswald Buddenhagen
834a65d85c make store/account error messages less redundant
this will become more relevant when more are added.
2014-07-06 09:09:54 +02:00
Oswald Buddenhagen
639c84ea28 don't ignore RequireSSL for PREAUTHenticated connections
such connections don't support STARTTLS. that is reasonable, as whatever
makes the connection preauthenticated (typically a Tunnel used to launch
imapd via a shell login) must already rely on the connection's security.
consequently, we would not try to use STARTTLS with such connections.
unfortunately, we'd also skip the RequireSSL check as a side effect.

this means that a rogue server (via a MITM attack) could simply offer a
preauthenticated connection to make us not use SSL, and thus bypass
server authentication. as a result, we could send potentially sensitive
data to the attacker:
- with Patterns used, we would send a LIST command which reveals the
  remote Path setting. this isn't very useful to an attacker. also, IMAP
  Accounts usually rely on the server-provided NAMESPACE to start with.
- with Create enabled for the remote Store, we would upload messages
  from newly appeared local folders. this isn't a very likely situation,
  unless the attacker manages to convince the victim to move/copy
  interesting mails to a new folder right before the attack.
- with Expunge enabled for the local Store, previously synchronized
  folders would be wiped. however, this would require the attacker to
  know the correct UIDVALIDITY of each remote folder, which would
  require incredible luck or convincing the victim to disclose them.
  the first mismatch would likely tip off the victim.

in practice, someone with the level of technical and social engineering
skills required for this attack would very likely find more attractive
attack vectors. therefore, i don't consider this a particularly serious
issue.

configurations with UseIMAPS enabled or using a secure Tunnel were not
affected to start with.

a side effect of this fix is that most users of Tunnel will now need to
explicitly set RequireSSL to false.
an alternative approach would be defaulting all SSL-related settings to
off when Tunnel is used. this would be too invasive for a patch release,
but i'll consider it for 1.2.

see also CVE-2014-2567 for the Trojita MUA.
2014-07-06 09:09:54 +02:00
Oswald Buddenhagen
8513358e0a zero-terminate imap literals
now that we properly support literals for strings, we must expect that
the consumer code will use them as strings.

amends fc77feacc.

discovered by Armands Liepins <armandsl@gmail.com>

REFMAIL: CAF_KswXoxdm7KXnWW4b_1odf=XsE4qRqRN4AsecwcPF1d+dSTA@mail.gmail.com
2014-06-28 11:04:41 +02:00
Oswald Buddenhagen
ae49a37a3e don't crash on malformed response code
this would happen in the absurd corner case that the response code is
properly terminated with a closing bracket, but the atom itself is an
unterminated double-quoted string.

NOT found by coverity.
2014-04-12 15:02:40 +02:00
Oswald Buddenhagen
fd872a7ff7 don't crash on truncated LIST response
found by coverity.
2014-04-12 14:58:18 +02:00
Oswald Buddenhagen
3161540ab9 fix crash on store without prior fetch with non-UIDPLUS servers
we'd never initialize the message list append pointer, so
imap_find_new_msgs()'s FETCH would go awry.

REFMAIL: <20140207101719.GB17125@mac.home>
2014-02-08 13:29:35 +01:00
Oswald Buddenhagen
f4a192f375 don't error out if we don't get an X-TUID header
the BODY[] item in the FETCH response corresponds to what we requested,
and its presence doesn't imply that it actually contains anything useful
- new messages may appear in the mailbox in addition to those we stored
ourselves, and these will obviously have no TUID.
2014-01-25 11:34:03 +01:00
Oswald Buddenhagen
aee0fa3b68 make date parsing portable, take 2
the global timezone variable is glibc-specific.
so use timegm() instead of mktime() for the conversion.
as that is specific to the BSDs and glibc, provide a fallback.
amends 62a6099.
2014-01-02 21:09:09 +01:00
Oswald Buddenhagen
4fa5779193 avoid array underflow in IMAP LIST .lock workaround
suggested by Mark Wielaard <mark@klomp.org>.

fwiw, the workaround really is still necessary with panda imap ...
2013-12-15 13:46:06 +01:00
Oswald Buddenhagen
2f0fbcd306 don't use UID EXPUNGE unless trashing
a simple CLOSE is way more efficient, so use it if no adverse effects
can come from it.
2013-12-11 16:29:33 +01:00
Oswald Buddenhagen
03b3b566f1 reshuffle sources a bit
split header and move some code to more logical places.
2013-12-08 23:19:12 +01:00
Oswald Buddenhagen
92b892d247 tag verbose output when channel links two verbose stores
otherwise it's pure guesswork to assign the output to particular stores.
2013-12-08 23:14:34 +01:00
Oswald Buddenhagen
27fa63a577 move verbose socket logging out of socket driver
the way it's used, it's more of a high-level function.
2013-12-08 23:14:34 +01:00
Oswald Buddenhagen
0b32734693 remove own_store() function from driver model
the drivers which support it can abstract it inside open_store() just
fine.
2013-12-08 23:14:34 +01:00
Oswald Buddenhagen
2cb483fb2e make use of IMAP MOVE extension
the Maildir driver is always exposing behavior equivalent to this - it's
more efficient.
2013-12-08 23:14:34 +01:00
Oswald Buddenhagen
1e427f5cd5 do not unnecessarily use bitfields
they don't save much (if any) space in our usage, while they make the
machine code more bloated and slow.
2013-12-08 11:12:09 +01:00
Oswald Buddenhagen
8e49300cf7 initialize struct tm
strptime() does not initialize at least tm_isdst, which leads to an
uninited value reference in mktime().
2013-12-01 13:36:27 +01:00
Oswald Buddenhagen
62a60997c3 make use of strptime() portable
it does not (officially) support the %z conversion, so re-implement that
part by hand.
2013-12-01 13:36:26 +01:00
Oswald Buddenhagen
55e65147df fix compilation with older gcc versions
the warning suppression pragma within function scope is apparently a new
thing.
as i don't want to disable the check for the entire function (even if
this currently would make no difference), just use a wrapper function
to suppress the format string check.
2013-12-01 13:36:26 +01:00
Oswald Buddenhagen
b570c17766 deal with messages disappearing between being listed and fetched 2013-09-26 09:17:08 +02:00
Oswald Buddenhagen
2213d6976c support backslashes and quotes in quoted IMAP strings
the RFCs require it - well hidden in the BNF at the bottom.

patch somewhat inspired by "guns" <self@sungpae.com>.
2013-09-26 09:17:08 +02:00
Oswald Buddenhagen
c0bf867669 make next_arg() more readable & efficient 2013-09-26 09:17:08 +02:00
Oswald Buddenhagen
0b59ee0df3 support multi-character path separators
this applies to both the IMAP PathDelimiter (which is needed by Lotus
Domino), as well as the Flatten-ed separators.
2013-08-11 10:20:02 +02:00
Oswald Buddenhagen
1b67c49965 CHECK before FETCH after STORE
m$ exchange does not seem to update the index in time otherwise.
2013-08-11 10:20:02 +02:00
Oswald Buddenhagen
eb1f10762f added sync support for the arrival date of messages
initial patch by Marc Hoersken <info@marc-hoersken.de>
2013-08-03 18:54:34 +02:00
Oswald Buddenhagen
6dfccb76a5 be somewhat stricter about the LIST response syntax
the first token *must* be a list.
2013-07-27 18:40:19 +02:00
Oswald Buddenhagen
a0dc37339e allow the mailbox names in LIST responses to be literals
Lotus Domino seems to send them like that.
2013-07-27 18:40:16 +02:00
Oswald Buddenhagen
fc77feacc5 make parse_list() callback based
this allows us to parse IMAP literals ({}) in every list.
2013-07-27 18:39:39 +02:00
Oswald Buddenhagen
bf049d6466 add PassCmd option to query IMAP password dynamically
inspired by patches by
Aurélien Francillon <aurelien.francillon@eurecom.fr>,
Martin Stenberg <martin@gnutiken.se> and
sbfnk@users.sf.net.
2013-07-27 11:31:31 +02:00
Oswald Buddenhagen
ca3a319e60 update copyrights 2013-04-20 16:57:16 +02:00
Oswald Buddenhagen
4ab55dc468 don't try to fetch status of minus one message
this would happen if we were trying to find newly pushed messages, but
none actually arrived.
as imap's ranges are not ordered, this would actually fetch one message.
2013-03-30 16:46:18 +01:00
Oswald Buddenhagen
fbfcfea5dc fix cram-md5 authentication
we need to send a newline after the response for imap to grok it.
2013-03-23 10:38:27 +01:00
Oswald Buddenhagen
3363ad0f11 fix crashes in imap_open_store() error paths
it's not a good idea to invoke imap_open_store_bail() twice, either ...
2013-03-23 10:34:51 +01:00
Oswald Buddenhagen
fbba8f1cda add support for (disabling) TLS v1.1 and v1.2 2013-02-10 09:56:33 +01:00
Oswald Buddenhagen
c7ebe2da95 more error checking of IMAP responses
REFMAIL: CA+Tk8fyu-6bwXq=ee2BgcKK_13m9S0RS+-0DhM=_jFqSKCH8aw@mail.gmail.com
2012-10-16 09:37:19 +02:00
Oswald Buddenhagen
8dbb3fe7a9 flush stdout more
to make sure it is timely written and not interleaved with stderr even
when redirected.
2012-09-22 17:48:09 +02:00
Oswald Buddenhagen
16e5aade3f store config error status in conffile_t object
this makes passing it around more straightforward
2012-09-15 11:46:42 +02:00
Oswald Buddenhagen
725a122e91 make config parser a bit more careful about quotes
the parsing is more shell-like now:
- quoted and unquoted parts can be mixed in one argument
- the hashmark can be meaningfully quoted
2012-09-15 11:24:57 +02:00
Oswald Buddenhagen
f11504aa07 update copyrights
make the wrapper's help string also mention copyrights pertaining only
to the actual syncer, as this is the only string many people will ever
see.
2012-09-01 21:15:53 +02:00
Oswald Buddenhagen
d4c786823d replace FSF address with something more ... contemporary 2012-09-01 21:15:53 +02:00
Oswald Buddenhagen
18225344c6 make use of UID EXPUNGE 2012-09-01 21:15:52 +02:00
Oswald Buddenhagen
2585dd3324 add support for hierarchical mailboxes 2012-09-01 21:15:18 +02:00
Oswald Buddenhagen
a3f66f8f1d refactor: imap_select2_p2 => imap_refcounted_done_box
soon, we'll use it for something different, too
2012-09-01 21:15:08 +02:00
Oswald Buddenhagen
1bc9c6d9cf reject qualified mailboxes with the magic name INBOX
otherwise we couldn't tell them apart from the real INBOX after
stripping away the Path.
2012-09-01 21:15:07 +02:00
Oswald Buddenhagen
9bbb02b8fd Revert "fix UIDNEXT handling"
in fact, UIDNEXT (and UIDVALIDITY) null is *not* allowed (see RFC3501
section 9). them popping up nonetheless was a dovecot bug (which would
also confuse dovecot itself).
having it in as a workaround was no good either, as quite some other
code in mbsync assumes that UIDs are not null.

This reverts commit e1fa867 and most of 39006d7.

-REFMAIL: 4CA62BA1.4020104@lemma.co.uk
2012-09-01 21:15:07 +02:00
Oswald Buddenhagen
9c86ec3442 employ alternative scheme to finding messages by TUID
instead of SEARCHing every single message (which is slow and happens to
be unreliable with M$ Exchange 2010), just FETCH the new messages from
the mailbox - the ones we just appended will be amongst them.
2012-09-01 21:15:07 +02:00
Oswald Buddenhagen
d2bed4990d unify error reporting
- introduce sys_error() and use it instead of perror() and
  error(strerror()) in all expected error conditions
- perror() is used only for "something's really wrong with the system"
  kind of errors
- file names, etc. are quoted if they are not validated yet, so e.g. an
  empty string becomes immediately obvious
- improve and unify language
- add missing newlines
2012-09-01 21:15:07 +02:00
Oswald Buddenhagen
256a147945 compile with -ansi -pedantic on gcc
greatly helps portability ...
2012-09-01 21:15:06 +02:00
Oswald Buddenhagen
faeb9b5bf7 centralize imap_cmd_refcounted_state refcount decrementing
no else branches remain, so the if() can be put into
imap_refcounted_done()
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
f5086f735c get rid of redundant literal_pending state flag 2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
bd93d689db fully asynchronous IMAP operation
- asynchronous sockets using an event loop
  - connect & starttls have completion callback parameters
  - callbacks for notification about filled input buffer and emptied
    output buffer
- unsent imap command queue
  - used when
    - socket output buffer is non-empty
    - number of commands in flight exceeds limit
    - last sent command requires round-trip
    - command has a dependency on completion of previous command
  - trashnc is tri-state so only a single "scout" trash APPEND/COPY is
    sent at first. a possibly resulting CREATE is injected in front of
    the remaining trash commands, so they can succeed (or be cancel()d
    if it fails).
  - queue's presence necessitates imap_cancel implementation
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
802c99edcf make socket read/write error reporting callback-based
the functions still have synchronous return codes as well - this enables
early error returns without having to resort to refcounting.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
f1df2f40d1 decouple the filling of the read buffer from consuming it
this prepares the code for being called from a callback.

notably, this makes the imap list parser have a "soft stack", so the
recursion can be suspended at any time.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
886cd03e37 centralize imap_cmd disposal 2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
f8d73ac346 make socket_write() capable of taking ownership of the buffer
that way the user code doesn't have to free it any more.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
8a72d204c9 change socket_write() return code semantics
instead of returning a write()-like result, return only a binary status
code - write errors are handled internally anyway, so user code doesn't
have to check the write length.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
a85013d6ff make IMAP pipeline depth configurable
currently, this affects only "clustered" message listings and
flag stores.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
a266f28f1c cancel submitted commands when canceling store
we already have some minimal asynchronicity, so there might be commands
in flight when a fatal error comes in.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
171f7d6cd3 Socket_t + buffer_t => conn_t
remove the layering, in favor of a "buffered connection" abstraction.
2012-09-01 16:03:36 +02:00
Oswald Buddenhagen
ef41349035 move socket code to a separate file
this makes the layering more obvious
2012-09-01 16:03:35 +02:00
Oswald Buddenhagen
d1ee94f02c move greeting response handling into get_cmd_result()
the primary purpose of this is getting rid of the "free-standing"
buffer_gets() call.
2012-09-01 16:03:35 +02:00
Oswald Buddenhagen
584e51ed7d docs
- insert "separator comments" between driver entry points
- document driver API
- document sync_vars_t parts that are stored in the sync state header
2012-09-01 16:03:35 +02:00
Oswald Buddenhagen
2ab689b3df make imap_exec() result reporting callback-based
this makes the IMAP command submission interface asynchronous.

the functions still have synchronous return codes as well - this enables
clean error return paths. only when we invoke callbacks do we resort to
refcounting.

as a "side effect", properly sequence commands after CREATE resulting
from [TRYCREATE].
2012-09-01 16:03:35 +02:00
Oswald Buddenhagen
05fd0b9970 split out drv->load() from drv->select() 2012-09-01 16:02:50 +02:00
Oswald Buddenhagen
7addc3bea8 minor cleanup: use ctx->gen instead of gctx for consistency 2012-07-30 01:21:32 +02:00
Oswald Buddenhagen
ea951a697f fix error paths wrt sync drivers, take 2
synchronous error codes which are passed through callbacks aren't a
particularly good idea, after all: at the latest when the callback does
stuff which does not concern the caller, the return code becomes ambiguous.
instead, protect the sync_vars object with a refcount when invoking
driver functions from loops, as the callbacks they call could invalidate
the object and we would have no way of knowing that the loop should be
aborted prematurely. the upcoming async imap driver will also need a
refcount to protect the cancelation marker of the imap socket dispatcher
loop.
2012-07-30 01:21:32 +02:00
Oswald Buddenhagen
b0bbd23512 replace DRV_STORE_BAD with a separate bad_callback()
that way we don't have to piggy-back (possibly asynchronous) fatal
errors to particular commands.

internally, the drivers still use synchronous return values as well,
so they don't try to access the invalidated store after calling back.
2012-07-30 01:21:31 +02:00
Oswald Buddenhagen
9554026443 make drv->cancel()'s callback have no status code
this function is not going to actually execute any commands, so it
makes no sense for the callback to have a status code.
2012-07-29 12:25:24 +02:00
Oswald Buddenhagen
06ccac1fdd always use return value from get_cmd_result()
once we have callback-based error reporting, this will ensure that we
don't operate on invalidated data structures.
2012-07-22 17:27:42 +02:00
Oswald Buddenhagen
121ce76e46 make response code parse failure of untagged OK/NO/BYE/BAD non-fatal
as such, it does not disrupt the data stream
2012-07-22 17:27:42 +02:00
Oswald Buddenhagen
4d4de6e275 remove redundant use_ssl variables
just use the presence of an SSL object as an indicator. if something
goes wrong during the ssl handshake or certificate validation, the
socket must be immediately closed anyway.
2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
17dc64b414 after [TRYCREATE], just resend the same command instead of cloning it 2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
83efbe327d use return values from correct set in get_cmd_result()
DRV_OK == RESP_OK, so this worked by accident
2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
99cc328f17 do away with the dreaded rcaps hack
don't pretend that the server has no literal+ for the time of the
first relevant command's synchronous execution. instead, enable the
lower layer to do the processing by telling it for which commands
trashnc ("trash's existence not confirmed") is relevant.
2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
1545ed90a0 purge imap_store_t::currentnc vestiges
we always actually open the mailbox before appending to it, so we
obviously know that it exists - that's why the code was already
commented out. changing this assumption would significantly complicate
matters for little gain, so let's just assume it won't happen.

consequently, also don't set param.create when appending to regular
mailboxes.
2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
c66afdc0a8 move setting of ctx->listed outside the drivers
it's essentially an external state flag
2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
61d98c5a1d fix a bunch of warnings 2012-07-07 18:00:47 +02:00
Oswald Buddenhagen
4afd31a457 avoid preprocessor warnings on missing features: #if => #ifdef 2011-03-27 12:06:41 +02:00
Oswald Buddenhagen
cf6a7b4d18 less bizarre code
we know that there is only one command in progress, so there
is no need to employ tricks to access the last command.
2011-03-27 11:54:48 +02:00
Oswald Buddenhagen
7e1c16ae02 make cram() sane
- don't silently fail in release mode (expression with side effects
  inside assert())
- save some redundant strlen()s by not throwing away known lengths
- reorganize the code for legibility
2011-03-27 11:54:48 +02:00
Oswald Buddenhagen
2c729bf9e6 don't leak SSL objects 2011-03-27 11:54:45 +02:00
Oswald Buddenhagen
d637772339 turns out, free(NULL) is just fine ... 2010-11-14 16:44:50 +01:00
Oswald Buddenhagen
e1fa867423 fix UIDNEXT handling
UIDNEXT *can* be legally zero, so deal with it.

-REFMAIL: 4CA62BA1.4020104@lemma.co.uk
2010-10-03 14:33:24 +02:00
Oswald Buddenhagen
5ade279839 don't hang after failed start_tls()
we'd send a LOGOUT command in plain text while the server was already
expecting an encrypted command, which would typically lead to waiting
for more data and thus an indefinite hang.
so close the socket immediately instead of letting the normal shutdown
path take care of it.
inspired by a patch by Steven Flintham.

-REFMAIL: 4C9AB98E.3000400@lemma.co.uk
2010-10-03 12:37:59 +02:00
Oswald Buddenhagen
70e87eb99e remove useless message
don't complain about missing greeting response - we already complained
about an unexpected EOF anyway.
2010-10-03 12:37:59 +02:00
Oswald Buddenhagen
90a38ea810 assert valid file handles
i've seen error logs of the type
  SSL_write: Bad file descriptor
and i simply can't nail it, so go for some more drastic measures.
2010-10-03 12:37:59 +02:00
Oswald Buddenhagen
72fd2aafb7 formatting 2010-10-03 12:37:59 +02:00